Gathering detailed insights and metrics for @opentelemetry/instrumentation
Gathering detailed insights and metrics for @opentelemetry/instrumentation
OpenTelemetry JavaScript Client
Installations
npm install @opentelemetry/instrumentationDeveloper Guide
BETA
Typescript
Yes
Module System
CommonJS, UMD
Min. Node Version
^18.19.0 || >=20.6.0
Node Version
18.20.8
NPM Version
lerna/6.6.2/node@v18.20.8+x64 (linux)
Score
94.8
Supply Chain
99.2
Quality
92.6
Maintenance
100
Vulnerability
99.3
License
Releases
149
experimental/v0.202.0
experimental/v0.202.0
Updated on Jun 02, 2025
semconv/v1.34.0
semconv/v1.34.0
Updated on May 21, 2025
semconv/v1.33.1
semconv/v1.33.1
Updated on May 20, 2025
experimental/v0.201.1
experimental/v0.201.1
Updated on May 19, 2025
experimental/v0.201.0
experimental/v0.201.0
Updated on May 15, 2025
v2.0.1
v2.0.1
Updated on May 15, 2025
Languages
4
TypeScript
JavaScript
Jinja
Shell
TypeScript (96.66%)
JavaScript (3.06%)
Jinja (0.19%)
Shell (0.08%)
Developer
Download Statistics
Total Downloads
1,030,144,446
Last Day
839,920
Last Week
18,630,596
Last Month
76,336,123
Last Year
689,463,358
GitHub Statistics
Apache-2.0 License
3,020 Stars
2,702 Commits
899 Forks
53 Watchers
15 Branches
337 Contributors
Updated on Jun 30, 2025
Bundle Size
5.26 kB
Minified
1.91 kB
Minified + Gzipped
Maintainers
3
Package Meta Information
Latest Version
0.202.0
Package Id
@opentelemetry/instrumentation@0.202.0
Unpacked Size
639.85 kB
Size
83.65 kB
File Count
203
NPM Version
lerna/6.6.2/node@v18.20.8+x64 (linux)
Node Version
18.20.8
Published on
Jun 02, 2025
Total Downloads
Cumulative downloads
Total Downloads
1,030,144,446
Last Day
5.5%
839,920
Compared to previous day
Last Week
-3.9%
18,630,596
Compared to previous week
Last Month
4.4%
76,336,123
Compared to previous month
Last Year
178.9%
689,463,358
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Peer Dependencies
1
Dev Dependencies
26
@babel/core@babel/preset-env@opentelemetry/api@opentelemetry/sdk-metrics@types/mocha@types/node@types/sinon@types/webpack-envbabel-loaderbabel-plugin-istanbulcodecovcross-varkarmakarma-chrome-launcherkarma-coveragekarma-mochakarma-spec-reporterkarma-webpacklernamochanycsinonts-loadertypescriptwebpackwebpack-cli
OpenTelemetry Instrumentation for web and node
Note: This is an experimental package under active development. New releases may include breaking changes.
Installation
Note: Much of OpenTelemetry JS documentation is written assuming the compiled application is run as CommonJS. For more details on ECMAScript Modules vs CommonJS, refer to esm-support.
1npm install --save @opentelemetry/instrumentation
Usage in Node
1import { 2 InstrumentationBase, 3 InstrumentationConfig, 4 InstrumentationNodeModuleDefinition, 5 InstrumentationNodeModuleFile, 6} from '@opentelemetry/instrumentation'; 7 8import type * as module_name_to_be_patched from 'module_name_to_be_patched'; 9 10export class MyInstrumentation extends InstrumentationBase { 11 constructor(config: InstrumentationConfig = {}) { 12 super('MyInstrumentation', VERSION, config); 13 } 14 15 /** 16 * Init method will be called when the plugin is constructed. 17 * It returns an `InstrumentationNodeModuleDefinition` which describes 18 * the node module to be instrumented and patched. 19 * It may also return a list of `InstrumentationNodeModuleDefinition`s if 20 * the plugin should patch multiple modules or versions. 21 */ 22 protected init() { 23 const module = new InstrumentationNodeModuleDefinition( 24 'module_name_to_be_patched', 25 ['1.*'], 26 this._onPatchMain, 27 this._onUnPatchMain, 28 ); 29 // in case you need to patch additional files - this is optional 30 module.files.push(this._addPatchingMethod()); 31 32 return module; 33 // you can also define more modules then just return an array of modules 34 // return [module1, module2, ....] 35 } 36 37 private _onPatchMain(moduleExports: typeof module_name_to_be_patched) { 38 this._wrap( 39 moduleExports, 40 'mainMethodName', 41 this._patchMainMethodName() 42 ); 43 return moduleExports; 44 } 45 46 private _onUnPatchMain(moduleExports: typeof module_name_to_be_patched) { 47 this._unwrap(moduleExports, 'mainMethodName'); 48 } 49 50 private _addPatchingMethod(): InstrumentationNodeModuleFile { 51 const file = new InstrumentationNodeModuleFile( 52 'module_name_to_be_patched/src/some_file.js', 53 this._onPatchMethodName, 54 this._onUnPatchMethodName, 55 ); 56 return file; 57 } 58 59 private _onPatchMethodName(moduleExports: typeof module_name_to_be_patched) { 60 this._wrap( 61 moduleExports, 62 'methodName', 63 this._patchMethodName() 64 ); 65 return moduleExports; 66 } 67 68 private _onUnPatchMethodName(moduleExports: typeof module_name_to_be_patched) { 69 this._unwrap(moduleExports, 'methodName'); 70 } 71 72 private _patchMethodName(): (original) => any { 73 const plugin = this; 74 return function methodName(original) { 75 return function patchMethodName(this: any): PromiseOrValue<module_name_to_be_patched.methodName> { 76 console.log('methodName', arguments); 77 return original.apply(this, arguments); 78 }; 79 }; 80 } 81 82 private _patchMainMethodName(): (original) => any { 83 const plugin = this; 84 return function mainMethodName(original) { 85 return function patchMainMethodName(this: any): PromiseOrValue<module_name_to_be_patched.mainMethodName> { 86 console.log('mainMethodName', arguments); 87 return original.apply(this, arguments); 88 }; 89 }; 90 } 91} 92 93// Later, but before the module to instrument is required 94 95const myInstrumentation = new MyInstrumentation(); 96myInstrumentation.setTracerProvider(provider); // this is optional, only if global TracerProvider shouldn't be used 97myInstrumentation.setMeterProvider(meterProvider); // this is optional 98myInstrumentation.enable(); 99// or use Auto Loader
Usage in Web
1import { 2 InstrumentationBase, 3 InstrumentationConfig, 4} from '@opentelemetry/instrumentation'; 5 6import { Instrumentation } from '@opentelemetry/instrumentation'; 7 8export class MyInstrumentation extends InstrumentationBase { 9 constructor(config: InstrumentationConfig = {}) { 10 super('MyInstrumentation', VERSION, config); 11 } 12 13 private _patchOpen() { 14 return (original: OpenFunction): OpenFunction => { 15 const plugin = this; 16 return function patchOpen(this: XMLHttpRequest, ...args): void { 17 console.log('open', arguments); 18 return original.apply(this, args); 19 }; 20 }; 21 } 22 23 public enable() { 24 this._wrap(XMLHttpRequest.prototype, 'open', this._patchOpen()); 25 } 26 public disable() { 27 this._unwrap(XMLHttpRequest.prototype, 'open'); 28 } 29} 30 31// Later 32 33const myInstrumentation = new MyInstrumentation(); 34myInstrumentation.setTracerProvider(provider); // this is optional, only if global TracerProvider shouldn't be used 35myInstrumentation.setMeterProvider(meterProvider); // this is optional, only if global MeterProvider shouldn't be used 36myInstrumentation.enable(); 37// or use Auto Loader
AutoLoader
NODE - Auto Loader
1const { B3Propagator } = require('@opentelemetry/propagator-b3'); 2const { registerInstrumentations } = require('@opentelemetry/instrumentation'); 3const { HttpInstrumentation } = require('@opentelemetry/instrumentation-http'); 4const { NodeTracerProvider } = require('@opentelemetry/sdk-trace-node'); 5 6const tracerProvider = new NodeTracerProvider(); 7 8tracerProvider.register({ 9 propagator: new B3Propagator(), 10}); 11 12registerInstrumentations({ 13 instrumentations: [ 14 new HttpInstrumentation(), 15 ], 16 //tracerProvider: tracerProvider, // optional, only if global TracerProvider shouldn't be used 17 //meterProvider: meterProvider, // optional, only if global MeterProvider shouldn't be used 18}); 19
WEB - Auto Loader
1const { B3Propagator } = require('@opentelemetry/propagator-b3'); 2const { registerInstrumentations } = require('@opentelemetry/instrumentation'); 3const { XMLHttpRequestInstrumentation } = require('@opentelemetry/instrumentation-xml-http-request'); 4const { WebTracerProvider } = require('@opentelemetry/sdk-trace-web'); 5 6const tracerProvider = new WebTracerProvider(); 7 8tracerProvider.register({ 9 propagator: new B3Propagator(), 10}); 11 12registerInstrumentations({ 13 instrumentations: [ 14 new XMLHttpRequestInstrumentation({ 15 ignoreUrls: [/localhost/], 16 propagateTraceHeaderCorsUrls: [ 17 'http://localhost:8090', 18 ], 19 }), 20 ], 21 //tracerProvider: tracerProvider, // optional, only if global TracerProvider shouldn't be used 22 //meterProvider: meterProvider, // optional, only if global MeterProvider shouldn't be used 23});
Selection of the used TracerProvider/MeterProvider
The registerInstrumentations() API allows to specify which TracerProvider and/or MeterProvider to use by the given options object.
If nothing is specified the global registered provider is used. Usually this is what most users want therefore it's recommended to keep this default.
There might be use case where someone has the need for more providers within an application. Please note that special care must be takes in such setups
to avoid leaking information from one provider to the other because there are a lot places where e.g. the global ContextManager or Propagator is used.
Instrumentation for ECMAScript Modules (ESM) in Node.js (experimental)
Node.js uses a different module loader for ECMAScript Modules (ESM) vs. CommonJS (CJS).
A require() call will cause Node.js to use the CommonJS module loader.
An import ... statement or import() call will cause Node.js to use the ECMAScript module loader.
If your application is written in JavaScript as ESM, or it must compile to ESM from TypeScript, then a loader hook is required to properly patch instrumentation.
The custom hook for ESM instrumentation is --experimental-loader=@opentelemetry/instrumentation/hook.mjs.
This flag must be passed to the node binary, which is often done as a startup command and/or in the NODE_OPTIONS environment variable.
For more details on ECMAScript Modules vs CommonJS, refer to esm-support.
Limitations
Instrumentations for external modules (e.g. express, mongodb,...) hooks the require call or import statement. Therefore following conditions need to be met that this mechanism can work:
- Instrumentations are registered before the module to instrument is
requireed (CJS only) - modules are not included in a bundle. Tools like
esbuild,webpack, ... usually have some mechanism to exclude specific modules from bundling
License
Apache 2.0 - See LICENSE for more information.
Third-party licenses and copyright notices can be found in the LICENSES directory.
Useful links
- For more information on OpenTelemetry, visit: https://opentelemetry.io/
- For help or feedback on this project, join us in GitHub Discussions
High
8.1/10
Summary
Unsanitized user controlled input in module generation
Affected Versions
>= 0.40.0, < 0.41.2
Patched Versions
0.41.2
Reason
update tool detected
Details
- Info: detected update tool: RenovateBot: renovate.json:1
Reason
30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10
Reason
all changesets reviewed
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0
Reason
security policy file detected
Details
- Info: security policy file detected: github.com/open-telemetry/.github/SECURITY.md:1
- Info: Found linked content: github.com/open-telemetry/.github/SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/open-telemetry/.github/SECURITY.md:1
- Info: Found text in security policy: github.com/open-telemetry/.github/SECURITY.md:1
Reason
SAST tool is run on all commits
Details
- Info: SAST configuration detected: CodeQL
- Info: all commits (30) are checked with a SAST tool
Reason
30 out of 30 merged PRs checked by a CI test -- score normalized to 10
Reason
project has 43 contributing companies or organizations
Details
- Info: found contributions from: Azure, Dynatrace, MineWeb, Obsifight, Team-Retrospect, VilledeMontreal, WinterTC55, X-Profiler, bloomberg, causely-oss, ccowmu, census-instrumentation, dynatrace, dynatrace-oss, dynatrace-oss-contrib, elastic, emberjs, focale, google, googleapis, googlers, honeycombio, http4ts, mend, microsoft, new relic, nodejs, odigos, open-telemetry, opencensus-integrations, openprofiling, opentracing, rails, reelevant-tech, self-employed, sentry, servicenow, splunk, tc39, tilde inc, tildeio, villedemontreal, w3c
Reason
dependency not pinned by hash detected -- score normalized to 3
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/benchmark.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/benchmark.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/benchmark.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/benchmark.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/benchmark.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/benchmark.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/changelog.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/changelog.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/close-stale.yml:10: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/close-stale.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/codeql-analysis.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/codeql-analysis.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/codeql-analysis.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/codeql-analysis.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/create-or-update-release-pr.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/create-or-update-release-pr.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/create-or-update-release-pr.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/create-or-update-release-pr.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docs.yaml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/docs.yaml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docs.yaml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/docs.yaml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/docs.yaml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/docs.yaml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/e2e.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/e2e.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/lint.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/lint.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/lint.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/lint.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/peer-api.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/peer-api.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-to-npm.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/publish-to-npm.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-to-npm.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/publish-to-npm.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sbom.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/sbom.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sbom.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/sbom.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sbom.yml:56: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/sbom.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sbom.yml:68: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/sbom.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sbom.yml:72: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/sbom.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/survey-on-merged-pr.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/survey-on-merged-pr.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unit-test.yml:80: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/unit-test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unit-test.yml:82: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/unit-test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unit-test.yml:107: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/unit-test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unit-test.yml:109: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/unit-test.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/unit-test.yml:125: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/unit-test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unit-test.yml:136: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/unit-test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unit-test.yml:137: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/unit-test.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/unit-test.yml:153: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/unit-test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unit-test.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/unit-test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unit-test.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/unit-test.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/unit-test.yml:69: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/unit-test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/w3c-integration-test.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/w3c-integration-test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/w3c-integration-test.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-js/w3c-integration-test.yml/main?enable=pin
- Warn: pipCommand not pinned by hash: integration-tests/tracecontext-integration-test.sh:13
- Warn: pipCommand not pinned by hash: integration-tests/tracecontext-integration-test.sh:14
- Warn: npmCommand not pinned by hash: .github/workflows/benchmark.yml:30
- Warn: npmCommand not pinned by hash: .github/workflows/create-or-update-release-pr.yml:49
- Warn: npmCommand not pinned by hash: .github/workflows/e2e.yml:35
- Warn: npmCommand not pinned by hash: .github/workflows/e2e.yml:41
- Warn: npmCommand not pinned by hash: .github/workflows/peer-api.yml:21
- Warn: npmCommand not pinned by hash: .github/workflows/peer-api.yml:24
- Warn: npmCommand not pinned by hash: .github/workflows/sbom.yml:22
- Warn: npmCommand not pinned by hash: .github/workflows/unit-test.yml:40
- Warn: npmCommand not pinned by hash: .github/workflows/unit-test.yml:46
- Info: 4 out of 39 GitHub-owned GitHubAction dependencies pinned
- Info: 2 out of 7 third-party GitHubAction dependencies pinned
- Info: 0 out of 2 pipCommand dependencies pinned
- Info: 11 out of 20 npmCommand dependencies pinned
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/sbom.yml:65
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/survey-on-merged-pr.yml:16
- Warn: no topLevel permission defined: .github/workflows/benchmark.yml:1
- Warn: no topLevel permission defined: .github/workflows/changelog.yml:1
- Warn: no topLevel permission defined: .github/workflows/close-stale.yml:1
- Warn: no topLevel permission defined: .github/workflows/codeql-analysis.yml:1
- Warn: no topLevel permission defined: .github/workflows/create-or-update-release-pr.yml:1
- Warn: no topLevel permission defined: .github/workflows/docs.yaml:1
- Warn: no topLevel permission defined: .github/workflows/e2e.yml:1
- Info: topLevel 'contents' permission set to 'read': .github/workflows/fossa.yml:9
- Warn: no topLevel permission defined: .github/workflows/label-releases.yml:1
- Warn: no topLevel permission defined: .github/workflows/lint.yml:1
- Info: topLevel permissions set to 'read-all': .github/workflows/ossf-scorecard.yml:11
- Warn: no topLevel permission defined: .github/workflows/peer-api.yml:1
- Warn: no topLevel permission defined: .github/workflows/publish-to-npm.yml:1
- Info: topLevel permissions set to 'read-all': .github/workflows/sbom.yml:6
- Warn: no topLevel permission defined: .github/workflows/survey-on-merged-pr.yml:1
- Warn: no topLevel permission defined: .github/workflows/unit-test.yml:1
- Warn: no topLevel permission defined: .github/workflows/w3c-integration-test.yml:1
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
Project has not signed or included provenance with any releases.
Details
- Warn: release artifact experimental/v0.202.0 not signed: https://api.github.com/repos/open-telemetry/opentelemetry-js/releases/222470909
- Warn: release artifact semconv/v1.34.0 not signed: https://api.github.com/repos/open-telemetry/opentelemetry-js/releases/220203794
- Warn: release artifact semconv/v1.33.1 not signed: https://api.github.com/repos/open-telemetry/opentelemetry-js/releases/219906598
- Warn: release artifact experimental/v0.201.1 not signed: https://api.github.com/repos/open-telemetry/opentelemetry-js/releases/219457664
- Warn: release artifact v2.0.1 not signed: https://api.github.com/repos/open-telemetry/opentelemetry-js/releases/218923142
- Warn: release artifact experimental/v0.202.0 does not have provenance: https://api.github.com/repos/open-telemetry/opentelemetry-js/releases/222470909
- Warn: release artifact semconv/v1.34.0 does not have provenance: https://api.github.com/repos/open-telemetry/opentelemetry-js/releases/220203794
- Warn: release artifact semconv/v1.33.1 does not have provenance: https://api.github.com/repos/open-telemetry/opentelemetry-js/releases/219906598
- Warn: release artifact experimental/v0.201.1 does not have provenance: https://api.github.com/repos/open-telemetry/opentelemetry-js/releases/219457664
- Warn: release artifact v2.0.1 does not have provenance: https://api.github.com/repos/open-telemetry/opentelemetry-js/releases/218923142
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
13 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-h5c3-5r3r-rr8q
- Warn: Project is vulnerable to: GHSA-rmvr-2pp2-xj38
- Warn: Project is vulnerable to: GHSA-xx4v-prfh-6cgc
- Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92
- Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h
- Warn: Project is vulnerable to: GHSA-mwcw-c2x4-8c55
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
- Warn: Project is vulnerable to: GHSA-f5x3-32g6-xq36
- Warn: Project is vulnerable to: GHSA-pq67-2wwv-3xjx
- Warn: Project is vulnerable to: GHSA-8cj5-5rvv-wf4v
- Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q
Score
6.4
/10
Last Scanned on 2025-06-30T07:48:53Z
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More